Status

Affected

Vendor Statement

BouncyCastle TLS servers, when configured to use the JCE (Java
Cryptography Extension) for cryptographic functions, contained a weak
Bleichenbacher oracle when any TLS cipher suite using RSA key exchange
was negotiated. This specifically includes servers using the BCJSSE
provider in its default configuration.

Note that the older TLS implementation (in the
org.bouncycastle.crypto.tls package) is not vulnerable.

For FIPS users, the issue is fixed in bctls-fips-1.0.3.jar.

We recommend all FIPS users upgrade as soon as possible.

For the regular API, version 1.59 containing the fix is expected to be
available before the end of 2017. In the meantime, beta versions
beginning with 1.59b09 contain the fix, and are available from
https://downloads.bouncycastle.org/betas/ . We recommend users upgrade
immediately to bctls-jdk15on-159b09.jar

and then upgrade to the full 1.59 release as soon as it is available. If
continuing to deploy vulnerable versions, we strongly recommend
disabling TLS cipher suites that use RSA key exchange.
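The interim mitigation above (dropping every cipher suite that uses RSA key exchange) can be applied from the JSSE API on a server that cannot be upgraded yet. The following is an added example written for this page; it is not code from Bouncy Castle or from the vendor statement. It assumes the standard JSSE cipher-suite naming convention, in which suites whose key exchange is plain RSA (the ones affected by a Bleichenbacher oracle) are named `TLS_RSA_...` or `SSL_RSA_...`, while `TLS_ECDHE_RSA_...` and `TLS_DHE_RSA_...` use RSA only for authentication and keep forward-secret key exchange. The provider registration line is an assumption about how BCJSSE is typically installed; with the platform default provider the same filter applies.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class DisableRsaKeyExchange {

    // Suite names whose key-exchange component is plain RSA (including the
    // RSA_PSK and legacy RSA_EXPORT forms). ECDHE_RSA / DHE_RSA suites do not
    // match because the token after the prefix is ECDHE or DHE, not RSA.
    private static final Pattern RSA_KEY_EXCHANGE = Pattern.compile("^(TLS|SSL)_RSA_");

    // Returns the given suite list with every RSA-key-exchange suite removed.
    public static String[] withoutRsaKeyExchange(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String suite : suites) {
            if (!RSA_KEY_EXCHANGE.matcher(suite).find()) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[0]);
    }

    // Returns the suites that would be dropped, useful for an audit log entry.
    public static String[] rsaKeyExchangeOnly(String[] suites) {
        List<String> dropped = new ArrayList<>();
        for (String suite : suites) {
            if (RSA_KEY_EXCHANGE.matcher(suite).find()) {
                dropped.add(suite);
            }
        }
        return dropped.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: BCJSSE has already been registered, e.g.
        //   Security.addProvider(new org.bouncycastle.jsse.provider.BouncyCastleJsseProvider());
        // and the default SSLContext resolves to it (or to the platform provider).
        SSLContext ctx = SSLContext.getDefault();
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();

        // Port 0 binds an ephemeral port so the example runs without a fixed port.
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0)) {
            String[] enabled = server.getEnabledCipherSuites();
            String[] hardened = withoutRsaKeyExchange(enabled);
            server.setEnabledCipherSuites(hardened);

            System.out.println("Dropped RSA key-exchange suites: "
                    + Arrays.toString(rsaKeyExchangeOnly(enabled)));
            System.out.println("Remaining suites: "
                    + Arrays.toString(server.getEnabledCipherSuites()));
        }
    }
}
```

Apply the same filter wherever the server configures suites (an `SSLEngine`, an `SSLParameters` object handed to a framework, or a container's connector configuration); the check to run afterwards is that `getEnabledCipherSuites()` on the live server object contains no `TLS_RSA_` or `SSL_RSA_` entries, since a framework may reset the list after the socket is created.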